framing 2020-07-09 simple...2020/07/09 · framing working group managed with love and patience by...
TRANSCRIPT
FramingNTIA Software Supply Chain
Transparency
Éamonn Ó Muiríhttps://flic.kr/p/46dsiz
https://creativecommons.org/licenses/by/2.0/legalcode
Framing Working
Group
Managed with love and patience by co-chairs Michelle Jump and Art Manion
Meeting almost weekly since July 2018
• Fridays at 1400 EDT
• https://lists.sei.cmu.edu/mailman/listinfo/ntia-sbom-framing
Framing concepts that apply to the entire multi-stakeholder process
2
Michelle Jump
MedSec LLC
Global Regulatory Advisor - Medical Device Cybersecurity
Art Manion
Software Engineering InstituteCERT Coordination Center
Principle Engineer “/” Technical Manager
Agenda
1.Phase 1 summary
2.Activity update
3.Next steps
4.Requests
3
Phase 1: What is an
SBOM?
Framing Software Component Transparency: Establishing a Common Software Bill of Material (SBOM)
https://tinyurl.com/y7s8ab3t
“An SBOM is effectively a nested inventory, a list of ingredients that make up
software components.”
4
Partial Table of Contents
2 What is an SBOM?
2.2 Baseline Component Information
2.4 Component Relationships
4 SBOM Processes
4.1 SBOM Creation: How
4.2 SBOM Creation: When
4.3 SBOM Exchange
4.4 Network Rules
4.6 Applications of SBOMs
Part
Final good
assembled
Compound part
Phase 2: Beyond the
basics
Started November 2019
Several Ongoing Projects
Additional Planned Work
6
https://www.facebook.com/powerofpositivity/posts/10156301474
602371and Roy T. Bennet
Ongoing Activity
• Collaboration between Health Care Proof-of-Concept and Framing
WGs
• Provide upstream SBOMs
• Test Framing Phase 1 concepts
• Documents in progress
• Software Identity Discussion and Guidance
• Sharing and Exchanging SBOMs
• Other threads
• Supplier identification
• The acronym formerly known as “VEX”
7
Naming is Important and Hard
• Currently, there are no global authoritative sources to obtain the values for the Component Name in SBOM data
• Two actors who compile SBOM might use two different values for the same component
• Need to map from SBOM to other data sources (e.g. vuln databases)
• Multiple standards for naming and identity exist and are being deployed (SWID, PURL, SWHID, etc)
• Goal: minimize the problem space and support naming convergence
• Several actors to consider
• Original component supplier
• Secondary authorship
• Downstream users of the data
8
Potential Guidance for Component Identifiers
• We propose a two-step approach
• Preferred case: Existing Supplier or Coordinate namespace
• If there exists an established, well-defined namespace, the component data author should use that
• Includes: package managers, commercial suppliers with clear communication
• Alternate case: use an established software identity standard
• Do not create a new identifier. Please.
• Built from an existing, well accepted naming schema, including, for example:
• SWID tags
• Package URL (purl)
• Software Heritage IDs
9
Advertisement and Discovery
10
Aspects of Sharing Mechanisms
How does the author let people
know where an SBOM is?
File in a well-known location,
extension or MIME type to
indicate format
Well-known URI
Network information, such as
Manufacturer Usage Description
(MUD)
How does the downstream
developer locate the SBOM?
How does the end user retrieve
the SBOM?
What format is the SBOM in? See: Formats and Tooling WG
What search mechanisms might
there be?
#SBOM?
Advertisement and Discovery
“Here’s how to
find my SBOM”
/.well-known/sbom
Icon by User:Manco Capac CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=5057789
Map By The Opte Project., CC BY 2.5, https://commons.wikimedia.org/w/index.php?curid=1538544
Access
12
Aspects of Sharing Mechanisms
How does one retrieve an SBOM? For the downstream developer,
perhaps ‘git clone’ and look in well
known file or directory
For the end user, HTTP[S],
CoAP[S], OpenC2, email (worst
case?)
What access rights to people
have?
Access controls might include:
• Git permissions
• HTTP authentication (web
token or basic user)
• OpenC2 MQTT group
membership
Open Questions
● Does the SBOM consist of a single file or multiple files?○ If multiple objects, what is retrieved first and how are the other objects
retrieved?
● What are the security considerations for an SBOM?○ Is an SBOM signed?
■ If integral, already retrieved■ If externalized, then the signature needs to be located and retrieved
● Do we understand search well enough?
13
Next Steps
• Continue working on identification and sharing papers
• Contribute to Health Care Proof-of-Concept
• Supplier identification? Registration?• Why? Because it helps with global component identification
• A proper RDF model?
• VEX? What VEX?• Widespread interest, but has been de-prioritized over underlying
fundamentals
• Framing expects to take up VEX, or perhaps a more generic inheritance feature that incudes transitive vulnerability
14
Requests
• Review draft documents, provide comments
• Interested in ongoing or upcoming work? Join us:
• Fridays at 1400 EDT
• Mailing list: https://lists.sei.cmu.edu/mailman/listinfo/ntia-sbom-framing
• Google Drive: https://tinyurl.com/yc3gajzz
• Should we be aware of, coordinating with other efforts?
• Have we identified important gaps from Phase 1?
15